2 factor auth using openid proposal
opensource at till.name
Thu Jan 24 18:53:45 UTC 2013
On Thu, Jan 24, 2013 at 09:05:39AM -0800, Toshio Kuratomi wrote:
> * I know that implementing 2fa to log into fas will cause a lot of breakage
> that we'll have to fix before we deploy:
> - session cookie for fas would have to change so you don't have SSO
> between FAS and other apps.
Wouldn't it be enough to add a field to the session data that stores
whether 2FA has been used or not? Then SSO is still possible from FAS to
other apps, but if a valid session is provided, FAS might only ask for
a valid token value.
> - python-fedora api would need to be modified so it can log into fas.
> - web apps would need to be modified so they could log into fas
> with/without 2fa
You could allow to just concatenate the password and hardware token
values and submit this as the new password. I believe this is often
implemented with RSA tokens, where a PIN and the current token value
need to be provided as password.
More information about the infrastructure